{
  "schemaVersion": "1.0",
  "item": {
    "slug": "proton-pass",
    "name": "Proton Pass CLI",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/KakatkarAkshay/proton-pass",
    "canonicalUrl": "https://clawhub.ai/KakatkarAkshay/proton-pass",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/proton-pass",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=proton-pass",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/proton-pass"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/proton-pass",
    "agentPageUrl": "https://openagent3.xyz/skills/proton-pass/agent",
    "manifestUrl": "https://openagent3.xyz/skills/proton-pass/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/proton-pass/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Proton Pass CLI",
        "body": "Comprehensive password and secret management via the Proton Pass CLI. Manage vaults, items, SSH keys, share credentials, inject secrets, and integrate with SSH workflows."
      },
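      {
        "title": "Quick install",
        "body": "macOS/Linux:\n\ncurl -fsSL https://proton.me/download/pass-cli/install.sh | bash\n\nWindows:\n\nInvoke-WebRequest -Uri https://proton.me/download/pass-cli/install.ps1 -OutFile install.ps1; .\\install.ps1\n\nNote: Piping the installer straight into bash runs it without a chance to read it. To review it first, save the script to a file (as the Windows command does), inspect it, then run it."
      },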
      {
        "title": "Homebrew (macOS)",
        "body": "brew install protonpass/tap/pass-cli\n\nNote: Package manager installations (Homebrew, etc.) do not support pass-cli update command or track switching."
      },
      {
        "title": "Verify installation",
        "body": "pass-cli --version"
      },
      {
        "title": "Web login (recommended)",
        "body": "Default authentication method supporting all login flows (SSO, U2F):\n\npass-cli login\n# Open the URL displayed in your browser and complete authentication"
      },
      {
        "title": "Interactive login",
        "body": "Terminal-based authentication (supports password + TOTP, but not SSO or U2F):\n\npass-cli login --interactive user@proton.me\n\nEnvironment variables for automation\n\n# Credentials as plain text (less secure)\nexport PROTON_PASS_PASSWORD='your-password'\nexport PROTON_PASS_TOTP='123456'\nexport PROTON_PASS_EXTRA_PASSWORD='your-extra-password'\n\n# Or from files (more secure)\nexport PROTON_PASS_PASSWORD_FILE='/secure/password.txt'\nexport PROTON_PASS_TOTP_FILE='/secure/totp.txt'\nexport PROTON_PASS_EXTRA_PASSWORD_FILE='/secure/extra-password.txt'\n\npass-cli login --interactive user@proton.me"
      },
      {
        "title": "Verify session",
        "body": "pass-cli info          # Show session info\npass-cli test          # Test connection"
      },
      {
        "title": "Logout",
        "body": "pass-cli logout        # Normal logout\npass-cli logout --force  # Force local cleanup if remote fails"
      },
      {
        "title": "List vaults",
        "body": "pass-cli vault list\npass-cli vault list --output json"
      },
      {
        "title": "Create vault",
        "body": "pass-cli vault create --name \"Vault Name\""
      },
      {
        "title": "Update vault",
        "body": "# By share ID\npass-cli vault update --share-id \"abc123def\" --name \"New Name\"\n\n# By name\npass-cli vault update --vault-name \"Old Name\" --name \"New Name\""
      },
      {
        "title": "Delete vault",
        "body": "⚠️ Warning: Permanently deletes vault and all items.\n\n# By share ID\npass-cli vault delete --share-id \"abc123def\"\n\n# By name\npass-cli vault delete --vault-name \"Old Vault\""
      },
      {
        "title": "Share vault",
        "body": "# Share with viewer access (default)\npass-cli vault share --share-id \"abc123def\" colleague@company.com\n\n# Share with specific role\npass-cli vault share --vault-name \"Team Vault\" colleague@company.com --role editor\n\n# Roles: viewer, editor, manager"
      },
      {
        "title": "Manage vault members",
        "body": "# List members\npass-cli vault member list --share-id \"abc123def\"\npass-cli vault member list --vault-name \"Team Vault\" --output json\n\n# Update member role\npass-cli vault member update --share-id \"abc123def\" --member-share-id \"member123\" --role editor\n\n# Remove member\npass-cli vault member remove --share-id \"abc123def\" --member-share-id \"member123\""
      },
      {
        "title": "Transfer vault ownership",
        "body": "pass-cli vault transfer --share-id \"abc123def\" \"member_share_id_xyz\"\npass-cli vault transfer --vault-name \"My Vault\" \"member_share_id_xyz\""
      },
      {
        "title": "List items",
        "body": "# List from specific vault\npass-cli item list \"Vault Name\"\npass-cli item list --share-id \"abc123def\"\n\n# List with default vault (if configured)\npass-cli item list"
      },
      {
        "title": "View item",
        "body": "# By IDs\npass-cli item view --share-id \"abc123def\" --item-id \"item456\"\n\n# By names\npass-cli item view --vault-name \"MyVault\" --item-title \"MyItem\"\n\n# Using Pass URI\npass-cli item view \"pass://abc123def/item456\"\npass-cli item view \"pass://MyVault/MyItem\"\n\n# View specific field\npass-cli item view \"pass://abc123def/item456/password\"\npass-cli item view --share-id \"abc123def\" --item-id \"item456\" --field \"username\"\n\n# Output format\npass-cli item view --share-id \"abc123def\" --item-id \"item456\" --output json"
      },
      {
        "title": "Create login item",
        "body": "# Basic login\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"GitHub Account\" \\\n  --username \"myuser\" \\\n  --password \"mypassword\" \\\n  --url \"https://github.com\"\n\n# With vault name\npass-cli item create login \\\n  --vault-name \"Personal\" \\\n  --title \"Account\" \\\n  --username \"user\" \\\n  --email \"user@example.com\" \\\n  --url \"https://example.com\"\n\n# With generated password\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"New Account\" \\\n  --username \"myuser\" \\\n  --generate-password \\\n  --url \"https://example.com\"\n\n# Custom password generation: \"length,uppercase,symbols\"\npass-cli item create login \\\n  --vault-name \"Work\" \\\n  --title \"Secure Account\" \\\n  --username \"myuser\" \\\n  --generate-password=\"20,true,true\" \\\n  --url \"https://example.com\"\n\n# Generate passphrase\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"Account\" \\\n  --username \"user\" \\\n  --generate-passphrase=\"5\" \\\n  --url \"https://example.com\"\n\nLogin template\n\n# Get template structure\npass-cli item create login --get-template > template.json\n\n# Create from template\npass-cli item create login --from-template template.json --share-id \"abc123def\"\n\n# Create from stdin\necho '{\"title\":\"Test\",\"username\":\"user\",\"password\":\"pass\",\"urls\":[\"https://test.com\"]}' | \\\n  pass-cli item create login --share-id \"abc123def\" --from-template -\n\nTemplate format:\n\n{\n  \"title\": \"Item Title\",\n  \"username\": \"optional_username\",\n  \"email\": \"optional_email@example.com\",\n  \"password\": \"optional_password\",\n  \"urls\": [\"https://example.com\", \"https://app.example.com\"]\n}"
      },
      {
        "title": "Create SSH key items",
        "body": "Generate new SSH key\n\n# Generate Ed25519 key (recommended)\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"GitHub Deploy Key\"\n\n# Using vault name\npass-cli item create ssh-key generate \\\n  --vault-name \"Development Keys\" \\\n  --title \"GitHub Deploy Key\"\n\n# Generate RSA 4096 key with comment\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Production Server\" \\\n  --key-type rsa4096 \\\n  --comment \"prod-server-deploy\"\n\n# Key types: ed25519 (default), rsa2048, rsa4096\n\n# With passphrase protection\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Secure Key\" \\\n  --password\n\n# Passphrase from environment\nPROTON_PASS_SSH_KEY_PASSWORD=\"my-passphrase\" \\\n  pass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Automated Key\" \\\n  --password\n\nImport existing SSH key\n\n# Import unencrypted key\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"My SSH Key\"\n\n# Import with vault name\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_rsa \\\n  --vault-name \"Personal Keys\" \\\n  --title \"Old RSA Key\"\n\n# Import passphrase-protected key (will prompt)\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"Protected Key\" \\\n  --password\n\n# Passphrase from environment\nPROTON_PASS_SSH_KEY_PASSWORD=\"my-key-passphrase\" \\\n  pass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"Automated Import\" \\\n  --password\n\nRecommendation: For importing passphrase-protected keys, consider removing the passphrase first since keys will be encrypted in your vault:\n\n# Create unencrypted copy\ncp ~/.ssh/id_ed25519 /tmp/id_ed25519_temp\nssh-keygen -p -f /tmp/id_ed25519_temp -N \"\"\n\n# Import\npass-cli item create ssh-key import \\\n  --from-private-key /tmp/id_ed25519_temp \\\n  --share-id \"abc123def\" \\\n  --title \"My SSH Key\"\n\n# Securely delete temp copy\nshred -u /tmp/id_ed25519_temp  # Linux\nrm -P /tmp/id_ed25519_temp     # macOS\n\nNote: The temporary copy is an unencrypted private key. Keep it in a location only your user can read, and be aware that shred and rm -P may not actually overwrite the data on SSDs or on journaling and copy-on-write filesystems."
      },
      {
        "title": "Create email alias",
        "body": "# Create alias\npass-cli item alias create --share-id \"abc123def\" --prefix \"newsletter\"\npass-cli item alias create --vault-name \"Personal\" --prefix \"shopping\"\n\n# With JSON output\npass-cli item alias create --vault-name \"Personal\" --prefix \"temp\" --output json"
      },
      {
        "title": "Update item",
        "body": "# Update single field\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"password=newpassword123\"\n\n# By vault name and item title\npass-cli item update \\\n  --vault-name \"Personal\" \\\n  --item-title \"GitHub Account\" \\\n  --field \"password=newpassword123\"\n\n# Update multiple fields\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"username=newusername\" \\\n  --field \"password=newpassword\" \\\n  --field \"email=newemail@example.com\"\n\n# Rename item\npass-cli item update \\\n  --vault-name \"Work\" \\\n  --item-title \"Old Title\" \\\n  --field \"title=New Title\"\n\n# Create/update custom fields\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"api_key=sk_live_abc123\" \\\n  --field \"environment=production\"\n\nNote: Item update does not support TOTP or time fields. Use another Proton Pass client for those."
      },
      {
        "title": "Delete item",
        "body": "⚠️ Warning: Permanent deletion.\n\npass-cli item delete --share-id \"abc123def\" --item-id \"item456\""
      },
      {
        "title": "Share item",
        "body": "# Share with viewer access (default)\npass-cli item share --share-id \"abc123def\" --item-id \"item456\" colleague@company.com\n\n# Share with editor access\npass-cli item share --share-id \"abc123def\" --item-id \"item456\" colleague@company.com --role editor"
      },
      {
        "title": "Generate TOTP codes",
        "body": "# Generate all TOTPs for an item\npass-cli item totp \"pass://TOTP vault/WithTOTPs\"\n\n# Specific TOTP field\npass-cli item totp \"pass://TOTP vault/WithTOTPs/TOTP 1\"\n\n# JSON output\npass-cli item totp \"pass://TOTP vault/WithTOTPs\" --output json\n\n# Extract specific value\npass-cli item totp \"pass://TOTP vault/WithTOTPs/TOTP 1\" --output json | jq -r '.[\"TOTP 1\"]'"
      },
      {
        "title": "Generate passwords",
        "body": "# Random password (default settings)\npass-cli password generate random\n\n# Custom random password\npass-cli password generate random --length 20 --numbers true --uppercase true --symbols true\n\n# Simple password without symbols\npass-cli password generate random --length 16 --symbols false\n\n# Generate passphrase\npass-cli password generate passphrase\n\n# Custom passphrase\npass-cli password generate passphrase --count 5\npass-cli password generate passphrase --count 4 --separator hyphens\npass-cli password generate passphrase --count 4 --capitalize true --numbers true"
      },
      {
        "title": "Analyze password strength",
        "body": "# Score a password\npass-cli password score \"mypassword123\"\n\n# JSON output\npass-cli password score \"MySecureP@ssw0rd*\" --output json\n\nExample JSON output:\n\n{\n  \"numeric_score\": 51.666666666666664,\n  \"password_score\": \"Vulnerable\",\n  \"penalties\": [\n    \"ContainsCommonPassword\",\n    \"Consecutive\"\n  ]\n}\n\nNote: A password given as a command-line argument can be saved in shell history and is visible in the process list while the command runs."
      },
      {
        "title": "Load SSH keys into existing agent",
        "body": "Load Proton Pass SSH keys into your existing SSH agent:\n\n# Load all SSH keys\npass-cli ssh-agent load\n\n# Load from specific vault\npass-cli ssh-agent load --share-id MY_SHARE_ID\npass-cli ssh-agent load --vault-name MySshKeysVault\n\nPrerequisite: Ensure SSH_AUTH_SOCK environment variable is defined."
      },
      {
        "title": "Run Proton Pass CLI as SSH agent",
        "body": "Start Proton Pass CLI as a standalone SSH agent:\n\n# Start agent\npass-cli ssh-agent start\n\n# From specific vault\npass-cli ssh-agent start --share-id MY_SHARE_ID\npass-cli ssh-agent start --vault-name MySshKeysVault\n\n# Custom socket path\npass-cli ssh-agent start --socket-path /custom/path/agent.sock\n\n# Custom refresh interval (default 3600 seconds)\npass-cli ssh-agent start --refresh-interval 7200  # 2 hours\n\nAfter starting, export the socket:\n\nexport SSH_AUTH_SOCK=/Users/youruser/.ssh/proton-pass-agent.sock\n\nAuto-create SSH key items (v1.3.0+)\n\nAutomatically save SSH keys added via ssh-add:\n\n# Enable auto-creation\npass-cli ssh-agent start --create-new-identities MySshKeysVault\n\n# In another terminal\nexport SSH_AUTH_SOCK=$HOME/.ssh/proton-pass-agent.sock\nssh-add ~/.ssh/my_new_key\n# Key is now automatically saved to Proton Pass!"
      },
      {
        "title": "Troubleshooting SSH",
        "body": "ssh-copy-id fails with many keys\n\nForce password authentication:\n\nssh-copy-id -o PreferredAuthentications=password -o PubkeyAuthentication=no user@server"
      },
      {
        "title": "Pass URI Syntax (Secret References)",
        "body": "Reference secrets using the format: pass://vault/item/field"
      },
      {
        "title": "Syntax",
        "body": "pass://<vault-identifier>/<item-identifier>/<field-name>\n\nvault-identifier: Vault's Share ID or name\nitem-identifier: Item's ID or title\nfield-name: Specific field to retrieve (required)"
      },
      {
        "title": "Examples",
        "body": "# By names\npass://Work/GitHub Account/password\npass://Personal/Email Login/username\n\n# By IDs\npass://AbCdEf123456/XyZ789/password\npass://ShareId123/ItemId456/api_key\n\n# Mixed (vault by name, item by ID)\npass://Work/XyZ789/password\n\n# Custom fields (case-sensitive)\npass://Work/API Keys/api_key\npass://Production/Database/connection_string"
      },
      {
        "title": "Common fields",
        "body": "username - Username/login name\npassword - Password\nemail - Email address\nurl - Website URL\nnote - Additional notes\ntotp - TOTP secret (for 2FA)\nCustom fields with any name (case-sensitive)"
      },
      {
        "title": "Rules",
        "body": "All three components (vault/item/field) are required\nNames with spaces are supported\nResolution is case-sensitive\nIf duplicates exist, first match is used (prefer IDs for precision)\n\nInvalid formats:\n\npass://vault/item              # Missing field name\npass://vault/item/             # Trailing slash\npass://vault/                  # Missing item and field"
      },
      {
        "title": "Run commands with secrets (run)",
        "body": "Execute commands with secrets from Proton Pass injected as environment variables.\n\nSynopsis:\n\npass-cli run [--env-file FILE]... [--no-masking] -- COMMAND [ARGS...]\n\nHow it works:\n\nCollects environment variables from current process and .env files\nScans for pass:// URIs in variable values\nResolves secrets from Proton Pass\nReplaces URIs with actual secret values\nMasks secrets in output (unless --no-masking)\nExecutes command with resolved environment\nForwards stdin/stdout/stderr and signals (SIGTERM/SIGINT)\n\nArguments:\n\n--env-file FILE - Load environment variables from dotenv file (can specify multiple, processed in order)\n--no-masking - Disable automatic masking of secrets in output\nCOMMAND [ARGS...] - Command to execute (must come after --)\n\nBasic usage\n\n# Set secret reference in environment\nexport DB_PASSWORD='pass://Production/Database/password'\n\n# Run application with injected secret\npass-cli run -- ./my-app\n\nUsing .env files\n\nCreate .env:\n\nDB_HOST=localhost\nDB_PORT=5432\nDB_USERNAME=admin\nDB_PASSWORD=pass://Production/Database/password\nAPI_KEY=pass://Work/External API/api_key\n\nRun:\n\npass-cli run --env-file .env -- ./my-app\n\n# Multiple env files (later override earlier)\npass-cli run \\\n  --env-file base.env \\\n  --env-file secrets.env \\\n  --env-file local.env \\\n  -- ./my-app\n\nMultiple secrets in single value\n\n# Mix secrets with plain text\nDATABASE_URL=\"postgresql://user:pass://vault/db/password@localhost/db\"\nAPI_ENDPOINT=\"https://api.example.com?key=pass://vault/api/key\"\n\nSecret masking\n\nDefault (masked):\n\npass-cli run -- ./my-app\n# If app logs: API_KEY: sk_live_abc123\n# Output shows: API_KEY: <concealed by Proton Pass>\n\nUnmasked:\n\npass-cli run --no-masking -- ./my-app\n\nRunning with arguments\n\npass-cli run -- ./my-app --config production --verbose\n\nCI/CD integration\n\n#!/bin/bash\n# Load production secrets\npass-cli run --env-file .env.production -- ./deploy.sh"
      },
      {
        "title": "Inject secrets into templates (inject)",
        "body": "Process template files and replace secret references with actual values using handlebars-style syntax.\n\nSynopsis:\n\npass-cli inject [--in-file FILE] [--out-file FILE] [--force] [--file-mode MODE]\n\nHow it works:\n\nReads template from --in-file or stdin\nFinds {{ pass://vault/item/field }} patterns\nResolves secrets from Proton Pass\nReplaces references with actual values\nOutputs to --out-file or stdout\nSets file permissions (Unix)\n\nArguments:\n\n--in-file, -i - Path to template file (or stdin)\n--out-file, -o - Path to write output (or stdout)\n--force, -f - Overwrite output file without prompting\n--file-mode - Set file permissions (Unix, default: 0600)\n\nTemplate syntax\n\nImportant: Use double braces {{ }} (unlike run which uses bare pass://)\n\n# config.yaml.template\ndatabase:\n  host: localhost\n  username: {{ pass://Production/Database/username }}\n  password: {{ pass://Production/Database/password }}\n\napi:\n  key: {{ pass://Work/API Keys/api_key }}\n  secret: {{ pass://Work/API Keys/secret }}\n\n# This comment with pass://fake/uri is ignored\n# Only {{ }} wrapped references are processed\n\nInject to stdout\n\npass-cli inject --in-file config.yaml.template\n\nInject to file\n\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml\n\n# Overwrite existing\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml \\\n  --force\n\nRead from stdin\n\ncat template.txt | pass-cli inject\n\n# Or with heredoc\npass-cli inject << EOF\n{\n  \"database\": {\n    \"password\": \"{{ pass://Production/Database/password }}\"\n  }\n}\nEOF\n\nCustom file permissions\n\npass-cli inject \\\n  --in-file template.txt \\\n  --out-file config.txt \\\n  --file-mode 0644\n\nNote: The output file contains resolved secret values, so a mode such as 0644 makes them readable by every local user; keep the default 0600 unless other accounts need to read the file.\n\nJSON template example\n\n{\n  \"database\": {\n    \"host\": \"localhost\",\n    \"password\": \"{{ pass://Production/Database/password }}\"\n  },\n  \"api\": {\n    \"key\": \"{{ pass://Work/API/key }}\"\n  }\n}"
      },
      {
        "title": "Settings Management",
        "body": "Configure persistent preferences:"
      },
      {
        "title": "View settings",
        "body": "pass-cli settings view"
      },
      {
        "title": "Set default vault",
        "body": "# By name\npass-cli settings set default-vault --vault-name \"Personal Vault\"\n\n# By share ID\npass-cli settings set default-vault --share-id \"3GqM1RhVZL8uXR_abc123\"\n\nAffected commands: item list, item view, item totp, item create, item update, etc."
      },
      {
        "title": "Set default output format",
        "body": "pass-cli settings set default-format human\npass-cli settings set default-format json\n\nAffected commands: item list, item view, item totp, vault list, etc."
      },
      {
        "title": "Unset defaults",
        "body": "pass-cli settings unset default-vault\npass-cli settings unset default-format"
      },
      {
        "title": "List all shares",
        "body": "pass-cli share list\npass-cli share list --output json\n\nShows all resources (vaults and items) shared with you and your role."
      },
      {
        "title": "List pending invitations",
        "body": "pass-cli invite list\npass-cli invite list --output json"
      },
      {
        "title": "Accept invitation",
        "body": "pass-cli invite accept --invite-token \"abc123def456\""
      },
      {
        "title": "Reject invitation",
        "body": "pass-cli invite reject --invite-token \"abc123def456\""
      },
      {
        "title": "View session info",
        "body": "pass-cli info\n\nShows: Release track, User ID, Username, Email."
      },
      {
        "title": "View detailed user info",
        "body": "pass-cli user info\npass-cli user info --output json\n\nShows: Account details, subscription, storage usage."
      },
      {
        "title": "Test connection",
        "body": "pass-cli test\n\nVerifies session validity and API connectivity."
      },
      {
        "title": "Updates",
        "body": "Note: Only for manual installations (not package managers)."
      },
      {
        "title": "Update to latest version",
        "body": "pass-cli update\npass-cli update --yes  # Skip confirmation"
      },
      {
        "title": "Change release track",
        "body": "# Switch to beta\npass-cli update --set-track beta\npass-cli update\n\n# Switch back to stable\npass-cli update --set-track stable\npass-cli update"
      },
      {
        "title": "Disable automatic update checks",
        "body": "export PROTON_PASS_NO_UPDATE_CHECK=1"
      },
      {
        "title": "Share",
        "body": "A Share represents the relationship between a user and a resource (vault or item). Defines access and permissions.\n\nVault shares: Access to entire vault and all items within it\nItem shares: Access to a single specific item only\nRoles:\n\nViewer: Read-only access\nEditor: Read and write, can manage items (but not share or manage members)\nManager: Full control including sharing and member management\nOwner: Created the vault, only one who can delete it"
      },
      {
        "title": "Vault",
        "body": "A container that organizes items. Items exist in exactly one vault."
      },
      {
        "title": "Item Types",
        "body": "Login: Username/password credentials with URLs, TOTP support\nNote: Secure text notes\nCredit Card: Payment card information (encrypted)\nIdentity: Personal information about a person\nAlias: Email aliases for privacy protection\nSSH Key: SSH private keys for authentication\nWifi: Credentials to access a WiFi network\n\nNote: Items are identified by Item ID, but this ID is only unique when combined with Share ID (ShareID + ItemID = globally unique)."
      },
      {
        "title": "Security",
        "body": "Use web login for maximum compatibility (SSO, U2F)\nGenerate unique passwords for each account\nUse SSH keys stored in Pass instead of local filesystem\nLogout on shared systems\nRegularly review share permissions"
      },
      {
        "title": "Organization",
        "body": "Create separate vaults for different contexts (work, personal)\nUse descriptive titles for items and vaults\nSet default vault for frequently used vault\nConfigure default output format (JSON for scripts, human for interactive)"
      },
      {
        "title": "Automation",
        "body": "Store credentials in files (not env vars) for better security\nUse Pass URIs for programmatic secret access\nLeverage JSON output for scripting\nInclude pass-cli logout in automation cleanup"
      },
      {
        "title": "Sharing",
        "body": "Use principle of least privilege (start with viewer)\nPrefer vault shares for ongoing collaboration\nUse item shares for specific, limited access\nRegularly audit members and permissions"
      },
      {
        "title": "Docker Usage",
        "body": "Running in Docker containers requires filesystem key storage (keyring unavailable):\n\n# 1. Ensure logged out\npass-cli logout --force\n\n# 2. Set filesystem key provider\nexport PROTON_PASS_KEY_PROVIDER=fs\n\n# 3. Login as normal\npass-cli login\n\nWhy filesystem storage?\n\nContainers cannot access kernel secret service\nD-Bus unavailable in headless environments\nFilesystem storage is the only option\n\n⚠️ Security note: Key stored side-by-side with encrypted data. Secure your container environment."
      },
      {
        "title": "Authentication issues",
        "body": "# Check session status\npass-cli info\npass-cli test\n\n# Re-authenticate\npass-cli logout\npass-cli login"
      },
      {
        "title": "Network issues",
        "body": "Verify internet connectivity\nCheck firewall settings for Proton domains\nTest with pass-cli test"
      },
      {
        "title": "Permission errors",
        "body": "Verify your role: pass-cli share list\nEnsure you have required permissions for the operation\nContact vault owner to adjust permissions"
      },
      {
        "title": "Missing resources",
        "body": "Check you're looking in the right vault\nVerify resource hasn't been deleted\nConfirm access hasn't been revoked\nCheck pending invitations: pass-cli invite list"
      },
      {
        "title": "Secret reference resolution errors",
        "body": "\"Invalid reference format\":\n\nEnsure format is pass://vault/item/field\nCheck for trailing slashes\nVerify all three components present\n\n\"Secret reference requires a field name\":\n\nAdd field name: pass://vault/item/field (not pass://vault/item)\n\n\"Field not found\":\n\nVerify field exists: pass-cli item view --share-id <id> --item-id <id>\nCheck field name spelling (case-sensitive)\n\nReference not found:\n\nCheck vault access: pass-cli vault list\nVerify item exists: pass-cli item list --share-id <id>\nConfirm field name: pass-cli item view <uri>"
      },
      {
        "title": "Logging",
        "body": "# Levels: trace, debug, info, warn, error, off\nexport PASS_LOG_LEVEL=debug\n\nNote: Logs are sent to stderr (won't interfere with piping/command integration)."
      },
      {
        "title": "Session storage",
        "body": "Default locations:\n\nmacOS: ~/Library/Application Support/proton-pass-cli/.session/\nLinux: ~/.local/share/proton-pass-cli/.session/\n\nOverride:\n\nexport PROTON_PASS_SESSION_DIR='/custom/path'"
      },
      {
        "title": "Key storage providers",
        "body": "Control how encryption keys are stored with PROTON_PASS_KEY_PROVIDER:\n\n1. Keyring storage (default, most secure)\n\nexport PROTON_PASS_KEY_PROVIDER=keyring  # or unset\n\nUses OS secure storage:\n\nmacOS: macOS Keychain\nLinux: Kernel-based secret storage (kernel keyring)\nWindows: Windows Credential Manager\n\nHow it works:\n\nGenerates random 256-bit key on first run\nStores in system keyring\nRetrieves on subsequent runs\nIf keyring unavailable but session exists, forces logout for security\n\nLinux note: Uses kernel keyring (no D-Bus required), works in headless environments. Secrets cleared on reboot.\n\nDocker limitation: Containers cannot access kernel secret service. Use filesystem storage instead.\n\n2. Filesystem storage\n\n⚠️ Warning: Less secure - key stored side-by-side with encrypted data.\n\nexport PROTON_PASS_KEY_PROVIDER=fs\n\nStores key in <session-dir>/local.key with permissions 0600.\n\nAdvantages:\n\nWorks in all environments (headless, containers)\nSurvives reboots\nNo dependency on system services\n\nWhen to use:\n\nDocker containers\nDevelopment/testing\nWhen system keyring unavailable\n\n3. Environment variable storage\n\n⚠️ Warning: Key visible to other processes in same session.\n\nexport PROTON_PASS_KEY_PROVIDER=env\nexport PROTON_PASS_ENCRYPTION_KEY=your-secret-key\n\nDerives encryption key from PROTON_PASS_ENCRYPTION_KEY (must be set and non-empty).\n\nGenerate safe key:\n\ndd if=/dev/urandom bs=1 count=2048 2>/dev/null | sha256sum | awk '{print $1}'\n\nAdvantages:\n\nPortable across all environments\nNo filesystem/keyring dependency\nUser controls key value\nWorks in CI/CD, containers, headless\n\nWhen to use:\n\nCI/CD pipelines\nContainers where filesystem persistence undesirable\nAutomation scripts\nExplicit control over encryption key needed"
      },
      {
        "title": "Telemetry",
        "body": "Disable telemetry:\n\nexport PROTON_PASS_DISABLE_TELEMETRY=1\n\nOr globally: Account security settings → Disable \"Collect usage diagnostics\"\n\nWhat's sent: Anonymized usage data (e.g., \"item created of type note\") - never personal/sensitive data."
      },
      {
        "title": "Login credentials (interactive login)",
        "body": "# Each value can be set inline as plain text (less secure) or read from a file via the matching _FILE variable (more secure)\nexport PROTON_PASS_PASSWORD='password'\nexport PROTON_PASS_PASSWORD_FILE='/path/to/file'\nexport PROTON_PASS_TOTP='123456'\nexport PROTON_PASS_TOTP_FILE='/path/to/file'\nexport PROTON_PASS_EXTRA_PASSWORD='extra-password'\nexport PROTON_PASS_EXTRA_PASSWORD_FILE='/path/to/file'"
      },
      {
        "title": "SSH key passphrase",
        "body": "export PROTON_PASS_SSH_KEY_PASSWORD='passphrase'\nexport PROTON_PASS_SSH_KEY_PASSWORD_FILE='/path/to/file'"
      },
      {
        "title": "Update checks",
        "body": "export PROTON_PASS_NO_UPDATE_CHECK=1"
      },
      {
        "title": "Installation",
        "body": "export PROTON_PASS_CLI_INSTALL_DIR=/custom/path\nexport PROTON_PASS_CLI_INSTALL_CHANNEL=beta"
      },
      {
        "title": "Create and populate a new vault",
        "body": "# Create vault\npass-cli vault create --name \"Project Alpha\"\n\n# List to get share ID\npass-cli vault list\n\n# Create login items\npass-cli item create login \\\n  --share-id \"new_vault_id\" \\\n  --title \"API Key\" \\\n  --username \"api_user\" \\\n  --generate-password \\\n  --url \"https://api.example.com\"\n\n# Share with team\npass-cli vault share --share-id \"new_vault_id\" alice@team.com --role editor"
      },
      {
        "title": "Import and use SSH keys",
        "body": "# Import existing key\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --vault-name \"SSH Keys\" \\\n  --title \"GitHub Key\"\n\n# Load into SSH agent\npass-cli ssh-agent load --vault-name \"SSH Keys\"\n\n# Or start Pass as SSH agent\npass-cli ssh-agent start --vault-name \"SSH Keys\"\nexport SSH_AUTH_SOCK=$HOME/.ssh/proton-pass-agent.sock"
      },
      {
        "title": "Scripted access to secrets",
        "body": "#!/bin/bash\n# Automated login\nexport PROTON_PASS_PASSWORD_FILE=\"$HOME/.secrets/pass-password\"\npass-cli login --interactive user@proton.me\n\n# Retrieve secret\nDB_PASSWORD=$(pass-cli item view \"pass://Production/Database/password\" --output json | jq -r '.password')\n\n# Use secret\n# Note: a secret passed as a command-line argument is visible in the process list;\n# if the tool can read it from the environment, prefer pass-cli run with a pass:// reference\nconnect-to-db --password \"$DB_PASSWORD\"\n\n# Cleanup\npass-cli logout"
      },
      {
        "title": "Application deployment with secrets",
        "body": "#!/bin/bash\n# Create .env.production with secret references\ncat > .env.production << EOF\nNODE_ENV=production\nDATABASE_URL=pass://Production/Database/connection_string\nAPI_KEY=pass://Production/API/key\nSTRIPE_SECRET=pass://Production/Stripe/secret_key\nEOF\n\n# Deploy application with secrets injected\npass-cli run --env-file .env.production -- npm start\n\n# Or generate config file from template\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml \\\n  --force\n\n# config.yaml now holds the resolved secret values (--file-mode defaults to 0600 on Unix);\n# keep it out of version control and remove it when no longer needed\n\n# Then run app with generated config\n./app --config config.yaml"
      },
      {
        "title": "CI/CD pipeline integration",
        "body": "#!/bin/bash\n# Login with environment variable key storage\nexport PROTON_PASS_KEY_PROVIDER=env\nexport PROTON_PASS_ENCRYPTION_KEY=\"${CI_PASS_ENCRYPTION_KEY}\"\nexport PROTON_PASS_PASSWORD_FILE=/run/secrets/pass-password\n\npass-cli login --interactive user@proton.me\n\n# Run tests with secrets\npass-cli run --env-file .env.test -- npm test\n\n# Deploy with secrets\npass-cli run --env-file .env.production -- ./deploy.sh\n\n# Cleanup\npass-cli logout"
      },
      {
        "title": "Notes",
        "body": "Beta status: Proton Pass CLI is currently in beta\nTrack switching: Only available for manual installations (not package managers)\nItem update limitations: Cannot update TOTP or time fields via CLI\nPassphrase recommendations: Passphrases optional for generated keys (already encrypted in vault)\nSSH agent refresh: Default 1 hour, customizable with --refresh-interval\nDocker containers: Keyring storage is unavailable; use filesystem key storage (PROTON_PASS_KEY_PROVIDER=fs), or environment variable storage (PROTON_PASS_KEY_PROVIDER=env) where filesystem persistence is undesirable\nLinux keyring: Uses kernel keyring (no D-Bus), secrets cleared on reboot\nTelemetry: Anonymized only (no personal data), can be disabled\nSecret masking: Automatically masks secrets in run command output\nTemplate syntax: inject requires {{ }} braces, run uses bare pass:// URIs\nItem ID uniqueness: Item ID only unique when combined with Share ID"
      },
      {
        "title": "Command Reference Quick List",
        "body": "Authentication:\n\nlogin, logout, info, test\n\nVault:\n\nvault list, vault create, vault update, vault delete, vault share, vault member, vault transfer\n\nItem:\n\nitem list, item view, item create, item update, item delete, item share, item totp, item alias, item attachment\n\nSecret Injection:\n\nrun - Execute commands with secrets injected as environment variables\ninject - Process template files with secret references\n\nPassword:\n\npassword generate, password score\n\nSSH:\n\nssh-agent load, ssh-agent start\n\nSettings:\n\nsettings view, settings set, settings unset\n\nShare & Invite:\n\nshare list, invite list, invite accept, invite reject\n\nUser:\n\nuser info\n\nUpdate:\n\nupdate"
      }
    ],
    "body": "Proton Pass CLI\n\nComprehensive password and secret management via the Proton Pass CLI. Manage vaults, items, SSH keys, share credentials, inject secrets, and integrate with SSH workflows.\n\nInstallation\nQuick install\n\nmacOS/Linux:\n\ncurl -fsSL https://proton.me/download/pass-cli/install.sh | bash\n\n\nWindows:\n\nInvoke-WebRequest -Uri https://proton.me/download/pass-cli/install.ps1 -OutFile install.ps1; .\\install.ps1\n\nHomebrew (macOS)\nbrew install protonpass/tap/pass-cli\n\n\nNote: Package manager installations (Homebrew, etc.) do not support pass-cli update command or track switching.\n\nVerify installation\npass-cli --version\n\nAuthentication\nWeb login (recommended)\n\nDefault authentication method supporting all login flows (SSO, U2F):\n\npass-cli login\n# Open the URL displayed in your browser and complete authentication\n\nInteractive login\n\nTerminal-based authentication (supports password + TOTP, but not SSO or U2F):\n\npass-cli login --interactive user@proton.me\n\nEnvironment variables for automation\n# Credentials as plain text (less secure)\nexport PROTON_PASS_PASSWORD='your-password'\nexport PROTON_PASS_TOTP='123456'\nexport PROTON_PASS_EXTRA_PASSWORD='your-extra-password'\n\n# Or from files (more secure)\nexport PROTON_PASS_PASSWORD_FILE='/secure/password.txt'\nexport PROTON_PASS_TOTP_FILE='/secure/totp.txt'\nexport PROTON_PASS_EXTRA_PASSWORD_FILE='/secure/extra-password.txt'\n\npass-cli login --interactive user@proton.me\n\nVerify session\npass-cli info          # Show session info\npass-cli test          # Test connection\n\nLogout\npass-cli logout        # Normal logout\npass-cli logout --force  # Force local cleanup if remote fails\n\nVault Management\nList vaults\npass-cli vault list\npass-cli vault list --output json\n\nCreate vault\npass-cli vault create --name \"Vault Name\"\n\nUpdate vault\n# By share ID\npass-cli vault update --share-id \"abc123def\" --name \"New Name\"\n\n# By name\npass-cli vault update 
--vault-name \"Old Name\" --name \"New Name\"\n\nDelete vault\n\n⚠️ Warning: Permanently deletes vault and all items.\n\n# By share ID\npass-cli vault delete --share-id \"abc123def\"\n\n# By name\npass-cli vault delete --vault-name \"Old Vault\"\n\nShare vault\n# Share with viewer access (default)\npass-cli vault share --share-id \"abc123def\" colleague@company.com\n\n# Share with specific role\npass-cli vault share --vault-name \"Team Vault\" colleague@company.com --role editor\n\n# Roles: viewer, editor, manager\n\nManage vault members\n# List members\npass-cli vault member list --share-id \"abc123def\"\npass-cli vault member list --vault-name \"Team Vault\" --output json\n\n# Update member role\npass-cli vault member update --share-id \"abc123def\" --member-share-id \"member123\" --role editor\n\n# Remove member\npass-cli vault member remove --share-id \"abc123def\" --member-share-id \"member123\"\n\nTransfer vault ownership\npass-cli vault transfer --share-id \"abc123def\" \"member_share_id_xyz\"\npass-cli vault transfer --vault-name \"My Vault\" \"member_share_id_xyz\"\n\nItem Management\nList items\n# List from specific vault\npass-cli item list \"Vault Name\"\npass-cli item list --share-id \"abc123def\"\n\n# List with default vault (if configured)\npass-cli item list\n\nView item\n# By IDs\npass-cli item view --share-id \"abc123def\" --item-id \"item456\"\n\n# By names\npass-cli item view --vault-name \"MyVault\" --item-title \"MyItem\"\n\n# Using Pass URI\npass-cli item view \"pass://abc123def/item456\"\npass-cli item view \"pass://MyVault/MyItem\"\n\n# View specific field\npass-cli item view \"pass://abc123def/item456/password\"\npass-cli item view --share-id \"abc123def\" --item-id \"item456\" --field \"username\"\n\n# Output format\npass-cli item view --share-id \"abc123def\" --item-id \"item456\" --output json\n\nCreate login item\n# Basic login\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"GitHub Account\" \\\n  --username 
\"myuser\" \\\n  --password \"mypassword\" \\\n  --url \"https://github.com\"\n\n# With vault name\npass-cli item create login \\\n  --vault-name \"Personal\" \\\n  --title \"Account\" \\\n  --username \"user\" \\\n  --email \"user@example.com\" \\\n  --url \"https://example.com\"\n\n# With generated password\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"New Account\" \\\n  --username \"myuser\" \\\n  --generate-password \\\n  --url \"https://example.com\"\n\n# Custom password generation: \"length,uppercase,symbols\"\npass-cli item create login \\\n  --vault-name \"Work\" \\\n  --title \"Secure Account\" \\\n  --username \"myuser\" \\\n  --generate-password=\"20,true,true\" \\\n  --url \"https://example.com\"\n\n# Generate passphrase\npass-cli item create login \\\n  --share-id \"abc123def\" \\\n  --title \"Account\" \\\n  --username \"user\" \\\n  --generate-passphrase=\"5\" \\\n  --url \"https://example.com\"\n\nLogin template\n# Get template structure\npass-cli item create login --get-template > template.json\n\n# Create from template\npass-cli item create login --from-template template.json --share-id \"abc123def\"\n\n# Create from stdin\necho '{\"title\":\"Test\",\"username\":\"user\",\"password\":\"pass\",\"urls\":[\"https://test.com\"]}' | \\\n  pass-cli item create login --share-id \"abc123def\" --from-template -\n\n\nTemplate format:\n\n{\n  \"title\": \"Item Title\",\n  \"username\": \"optional_username\",\n  \"email\": \"optional_email@example.com\",\n  \"password\": \"optional_password\",\n  \"urls\": [\"https://example.com\", \"https://app.example.com\"]\n}\n\nCreate SSH key items\nGenerate new SSH key\n# Generate Ed25519 key (recommended)\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"GitHub Deploy Key\"\n\n# Using vault name\npass-cli item create ssh-key generate \\\n  --vault-name \"Development Keys\" \\\n  --title \"GitHub Deploy Key\"\n\n# Generate RSA 4096 key with 
comment\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Production Server\" \\\n  --key-type rsa4096 \\\n  --comment \"prod-server-deploy\"\n\n# Key types: ed25519 (default), rsa2048, rsa4096\n\n# With passphrase protection\npass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Secure Key\" \\\n  --password\n\n# Passphrase from environment\nPROTON_PASS_SSH_KEY_PASSWORD=\"my-passphrase\" \\\n  pass-cli item create ssh-key generate \\\n  --share-id \"abc123def\" \\\n  --title \"Automated Key\" \\\n  --password\n\nImport existing SSH key\n# Import unencrypted key\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"My SSH Key\"\n\n# Import with vault name\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_rsa \\\n  --vault-name \"Personal Keys\" \\\n  --title \"Old RSA Key\"\n\n# Import passphrase-protected key (will prompt)\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"Protected Key\" \\\n  --password\n\n# Passphrase from environment\nPROTON_PASS_SSH_KEY_PASSWORD=\"my-key-passphrase\" \\\n  pass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --share-id \"abc123def\" \\\n  --title \"Automated Import\" \\\n  --password\n\n\nRecommendation: For importing passphrase-protected keys, consider removing the passphrase first since keys will be encrypted in your vault:\n\n# Create unencrypted copy\ncp ~/.ssh/id_ed25519 /tmp/id_ed25519_temp\nssh-keygen -p -f /tmp/id_ed25519_temp -N \"\"\n\n# Import\npass-cli item create ssh-key import \\\n  --from-private-key /tmp/id_ed25519_temp \\\n  --share-id \"abc123def\" \\\n  --title \"My SSH Key\"\n\n# Securely delete temp copy\nshred -u /tmp/id_ed25519_temp  # Linux\nrm -P /tmp/id_ed25519_temp     # macOS\n\nCreate email alias\n# Create alias\npass-cli item alias 
create --share-id \"abc123def\" --prefix \"newsletter\"\npass-cli item alias create --vault-name \"Personal\" --prefix \"shopping\"\n\n# With JSON output\npass-cli item alias create --vault-name \"Personal\" --prefix \"temp\" --output json\n\nUpdate item\n# Update single field\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"password=newpassword123\"\n\n# By vault name and item title\npass-cli item update \\\n  --vault-name \"Personal\" \\\n  --item-title \"GitHub Account\" \\\n  --field \"password=newpassword123\"\n\n# Update multiple fields\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"username=newusername\" \\\n  --field \"password=newpassword\" \\\n  --field \"email=newemail@example.com\"\n\n# Rename item\npass-cli item update \\\n  --vault-name \"Work\" \\\n  --item-title \"Old Title\" \\\n  --field \"title=New Title\"\n\n# Create/update custom fields\npass-cli item update \\\n  --share-id \"abc123def\" \\\n  --item-id \"item456\" \\\n  --field \"api_key=sk_live_abc123\" \\\n  --field \"environment=production\"\n\n\nNote: Item update does not support TOTP or time fields. 
Use another Proton Pass client for those.\n\nDelete item\n\n⚠️ Warning: Permanent deletion.\n\npass-cli item delete --share-id \"abc123def\" --item-id \"item456\"\n\nShare item\n# Share with viewer access (default)\npass-cli item share --share-id \"abc123def\" --item-id \"item456\" colleague@company.com\n\n# Share with editor access\npass-cli item share --share-id \"abc123def\" --item-id \"item456\" colleague@company.com --role editor\n\nGenerate TOTP codes\n# Generate all TOTPs for an item\npass-cli item totp \"pass://TOTP vault/WithTOTPs\"\n\n# Specific TOTP field\npass-cli item totp \"pass://TOTP vault/WithTOTPs/TOTP 1\"\n\n# JSON output\npass-cli item totp \"pass://TOTP vault/WithTOTPs\" --output json\n\n# Extract specific value\npass-cli item totp \"pass://TOTP vault/WithTOTPs/TOTP 1\" --output json | jq -r '.[\"TOTP 1\"]'\n\nPassword Generation & Analysis\nGenerate passwords\n# Random password (default settings)\npass-cli password generate random\n\n# Custom random password\npass-cli password generate random --length 20 --numbers true --uppercase true --symbols true\n\n# Simple password without symbols\npass-cli password generate random --length 16 --symbols false\n\n# Generate passphrase\npass-cli password generate passphrase\n\n# Custom passphrase\npass-cli password generate passphrase --count 5\npass-cli password generate passphrase --count 4 --separator hyphens\npass-cli password generate passphrase --count 4 --capitalize true --numbers true\n\nAnalyze password strength\n# Score a password\npass-cli password score \"mypassword123\"\n\n# JSON output\npass-cli password score \"MySecureP@ssw0rd*\" --output json\n\n\nExample JSON output:\n\n{\n  \"numeric_score\": 51.666666666666664,\n  \"password_score\": \"Vulnerable\",\n  \"penalties\": [\n    \"ContainsCommonPassword\",\n    \"Consecutive\"\n  ]\n}\n\nSSH Agent Integration\nLoad SSH keys into existing agent\n\nLoad Proton Pass SSH keys into your existing SSH agent:\n\n# Load all SSH keys\npass-cli 
ssh-agent load\n\n# Load from specific vault\npass-cli ssh-agent load --share-id MY_SHARE_ID\npass-cli ssh-agent load --vault-name MySshKeysVault\n\n\nPrerequisite: Ensure SSH_AUTH_SOCK environment variable is defined.\n\nRun Proton Pass CLI as SSH agent\n\nStart Proton Pass CLI as a standalone SSH agent:\n\n# Start agent\npass-cli ssh-agent start\n\n# From specific vault\npass-cli ssh-agent start --share-id MY_SHARE_ID\npass-cli ssh-agent start --vault-name MySshKeysVault\n\n# Custom socket path\npass-cli ssh-agent start --socket-path /custom/path/agent.sock\n\n# Custom refresh interval (default 3600 seconds)\npass-cli ssh-agent start --refresh-interval 7200  # 2 hours\n\n\nAfter starting, export the socket:\n\nexport SSH_AUTH_SOCK=/Users/youruser/.ssh/proton-pass-agent.sock\n\nAuto-create SSH key items (v1.3.0+)\n\nAutomatically save SSH keys added via ssh-add:\n\n# Enable auto-creation\npass-cli ssh-agent start --create-new-identities MySshKeysVault\n\n# In another terminal\nexport SSH_AUTH_SOCK=$HOME/.ssh/proton-pass-agent.sock\nssh-add ~/.ssh/my_new_key\n# Key is now automatically saved to Proton Pass!\n\nTroubleshooting SSH\nssh-copy-id fails with many keys\n\nForce password authentication:\n\nssh-copy-id -o PreferredAuthentications=password -o PubkeyAuthentication=no user@server\n\nPass URI Syntax (Secret References)\n\nReference secrets using the format: pass://vault/item/field\n\nSyntax\npass://<vault-identifier>/<item-identifier>/<field-name>\n\nvault-identifier: Vault's Share ID or name\nitem-identifier: Item's ID or title\nfield-name: Specific field to retrieve (required)\nExamples\n# By names\npass://Work/GitHub Account/password\npass://Personal/Email Login/username\n\n# By IDs\npass://AbCdEf123456/XyZ789/password\npass://ShareId123/ItemId456/api_key\n\n# Mixed (vault by name, item by ID)\npass://Work/XyZ789/password\n\n# Custom fields (case-sensitive)\npass://Work/API Keys/api_key\npass://Production/Database/connection_string\n\nCommon 
fields\nusername - Username/login name\npassword - Password\nemail - Email address\nurl - Website URL\nnote - Additional notes\ntotp - TOTP secret (for 2FA)\nCustom fields with any name (case-sensitive)\nRules\nAll three components (vault/item/field) are required\nNames with spaces are supported\nResolution is case-sensitive\nIf duplicates exist, first match is used (prefer IDs for precision)\n\nInvalid formats:\n\npass://vault/item              # Missing field name\npass://vault/item/             # Trailing slash\npass://vault/                  # Missing item and field\n\nSecret Injection\nRun commands with secrets (run)\n\nExecute commands with secrets from Proton Pass injected as environment variables.\n\nSynopsis:\n\npass-cli run [--env-file FILE]... [--no-masking] -- COMMAND [ARGS...]\n\n\nHow it works:\n\nCollects environment variables from current process and .env files\nScans for pass:// URIs in variable values\nResolves secrets from Proton Pass\nReplaces URIs with actual secret values\nMasks secrets in output (unless --no-masking)\nExecutes command with resolved environment\nForwards stdin/stdout/stderr and signals (SIGTERM/SIGINT)\n\nArguments:\n\n--env-file FILE - Load environment variables from dotenv file (can specify multiple, processed in order)\n--no-masking - Disable automatic masking of secrets in output\nCOMMAND [ARGS...] 
- Command to execute (must come after --)\nBasic usage\n# Set secret reference in environment\nexport DB_PASSWORD='pass://Production/Database/password'\n\n# Run application with injected secret\npass-cli run -- ./my-app\n\nUsing .env files\n\nCreate .env:\n\nDB_HOST=localhost\nDB_PORT=5432\nDB_USERNAME=admin\nDB_PASSWORD=pass://Production/Database/password\nAPI_KEY=pass://Work/External API/api_key\n\n\nRun:\n\npass-cli run --env-file .env -- ./my-app\n\n# Multiple env files (later override earlier)\npass-cli run \\\n  --env-file base.env \\\n  --env-file secrets.env \\\n  --env-file local.env \\\n  -- ./my-app\n\nMultiple secrets in single value\n# Mix secrets with plain text\nDATABASE_URL=\"postgresql://user:pass://vault/db/password@localhost/db\"\nAPI_ENDPOINT=\"https://api.example.com?key=pass://vault/api/key\"\n\nSecret masking\n\nDefault (masked):\n\npass-cli run -- ./my-app\n# If app logs: API_KEY: sk_live_abc123\n# Output shows: API_KEY: <concealed by Proton Pass>\n\n\nUnmasked:\n\npass-cli run --no-masking -- ./my-app\n\nRunning with arguments\npass-cli run -- ./my-app --config production --verbose\n\nCI/CD integration\n#!/bin/bash\n# Load production secrets\npass-cli run --env-file .env.production -- ./deploy.sh\n\nInject secrets into templates (inject)\n\nProcess template files and replace secret references with actual values using handlebars-style syntax.\n\nSynopsis:\n\npass-cli inject [--in-file FILE] [--out-file FILE] [--force] [--file-mode MODE]\n\n\nHow it works:\n\nReads template from --in-file or stdin\nFinds {{ pass://vault/item/field }} patterns\nResolves secrets from Proton Pass\nReplaces references with actual values\nOutputs to --out-file or stdout\nSets file permissions (Unix)\n\nArguments:\n\n--in-file, -i - Path to template file (or stdin)\n--out-file, -o - Path to write output (or stdout)\n--force, -f - Overwrite output file without prompting\n--file-mode - Set file permissions (Unix, default: 0600)\nTemplate syntax\n\nImportant: Use 
double braces {{ }} (unlike run which uses bare pass://)\n\n# config.yaml.template\ndatabase:\n  host: localhost\n  username: {{ pass://Production/Database/username }}\n  password: {{ pass://Production/Database/password }}\n\napi:\n  key: {{ pass://Work/API Keys/api_key }}\n  secret: {{ pass://Work/API Keys/secret }}\n\n# This comment with pass://fake/uri is ignored\n# Only {{ }} wrapped references are processed\n\nInject to stdout\npass-cli inject --in-file config.yaml.template\n\nInject to file\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml\n\n# Overwrite existing\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml \\\n  --force\n\nRead from stdin\ncat template.txt | pass-cli inject\n\n# Or with heredoc\npass-cli inject << EOF\n{\n  \"database\": {\n    \"password\": \"{{ pass://Production/Database/password }}\"\n  }\n}\nEOF\n\nCustom file permissions\n# 0644 makes the output readable by every local user; keep the default 0600 when the rendered file contains secrets\npass-cli inject \\\n  --in-file template.txt \\\n  --out-file config.txt \\\n  --file-mode 0644\n\nJSON template example\n{\n  \"database\": {\n    \"host\": \"localhost\",\n    \"password\": \"{{ pass://Production/Database/password }}\"\n  },\n  \"api\": {\n    \"key\": \"{{ pass://Work/API/key }}\"\n  }\n}\n\nSettings Management\n\nConfigure persistent preferences:\n\nView settings\npass-cli settings view\n\nSet default vault\n# By name\npass-cli settings set default-vault --vault-name \"Personal Vault\"\n\n# By share ID\npass-cli settings set default-vault --share-id \"3GqM1RhVZL8uXR_abc123\"\n\n\nAffected commands: item list, item view, item totp, item create, item update, etc.\n\nSet default output format\npass-cli settings set default-format human\npass-cli settings set default-format json\n\n\nAffected commands: item list, item view, item totp, vault list, etc.\n\nUnset defaults\npass-cli settings unset default-vault\npass-cli settings unset default-format\n\nShare Management\nList all shares\npass-cli share list\npass-cli share list --output 
json\n\n\nShows all resources (vaults and items) shared with you and your role.\n\nInvitation Management\nList pending invitations\npass-cli invite list\npass-cli invite list --output json\n\nAccept invitation\npass-cli invite accept --invite-token \"abc123def456\"\n\nReject invitation\npass-cli invite reject --invite-token \"abc123def456\"\n\nUser & Session Info\nView session info\npass-cli info\n\n\nShows: Release track, User ID, Username, Email.\n\nView detailed user info\npass-cli user info\npass-cli user info --output json\n\n\nShows: Account details, subscription, storage usage.\n\nTest connection\npass-cli test\n\n\nVerifies session validity and API connectivity.\n\nUpdates\n\nNote: Only for manual installations (not package managers).\n\nUpdate to latest version\npass-cli update\npass-cli update --yes  # Skip confirmation\n\nChange release track\n# Switch to beta\npass-cli update --set-track beta\npass-cli update\n\n# Switch back to stable\npass-cli update --set-track stable\npass-cli update\n\nDisable automatic update checks\nexport PROTON_PASS_NO_UPDATE_CHECK=1\n\nObject Types\nShare\n\nA Share represents the relationship between a user and a resource (vault or item). Defines access and permissions.\n\nVault shares: Access to entire vault and all items within it\nItem shares: Access to a single specific item only\nRoles:\nViewer: Read-only access\nEditor: Read and write, can manage items (but not share or manage members)\nManager: Full control including sharing and member management\nOwner: Created the vault, only one who can delete it\nVault\n\nA container that organizes items. 
Items exist in exactly one vault.\n\nItem Types\nLogin: Username/password credentials with URLs, TOTP support\nNote: Secure text notes\nCredit Card: Payment card information (encrypted)\nIdentity: Personal information about a person\nAlias: Email aliases for privacy protection\nSSH Key: SSH private keys for authentication\nWifi: Credentials to access a WiFi network\n\nNote: Items are identified by Item ID, but this ID is only unique when combined with Share ID (ShareID + ItemID = globally unique).\n\nBest Practices\nSecurity\nUse web login for maximum compatibility (SSO, U2F)\nGenerate unique passwords for each account\nUse SSH keys stored in Pass instead of keeping them on the local filesystem\nLog out on shared systems\nRegularly review share permissions\nOrganization\nCreate separate vaults for different contexts (work, personal)\nUse descriptive titles for items and vaults\nSet a default vault for the vault you use most often\nConfigure default output format (JSON for scripts, human for interactive)\nAutomation\nStore login credentials in files (the *_FILE variables such as PROTON_PASS_PASSWORD_FILE) rather than directly in environment variables\nUse Pass URIs for programmatic secret access\nLeverage JSON output for scripting\nInclude pass-cli logout in automation cleanup\nSharing\nUse principle of least privilege (start with viewer)\nPrefer vault shares for ongoing collaboration\nUse item shares for specific, limited access\nRegularly audit members and permissions\nDocker Usage\n\nRunning in Docker containers requires filesystem key storage (keyring unavailable):\n\n# 1. Ensure logged out\npass-cli logout --force\n\n# 2. Set filesystem key provider\nexport PROTON_PASS_KEY_PROVIDER=fs\n\n# 3. Login as normal\npass-cli login\n\n\nWhy filesystem storage?\n\nContainers cannot access kernel secret service\nD-Bus unavailable in headless environments\nFilesystem storage is the only option\n\n⚠️ Security note: Key stored side-by-side with encrypted data. 
Secure your container environment.\n\nTroubleshooting\nAuthentication issues\n# Check session status\npass-cli info\npass-cli test\n\n# Re-authenticate\npass-cli logout\npass-cli login\n\nNetwork issues\nVerify internet connectivity\nCheck firewall settings for Proton domains\nTest with pass-cli test\nPermission errors\nVerify your role: pass-cli share list\nEnsure you have required permissions for the operation\nContact vault owner to adjust permissions\nMissing resources\nCheck you're looking in the right vault\nVerify resource hasn't been deleted\nConfirm access hasn't been revoked\nCheck pending invitations: pass-cli invite list\nSecret reference resolution errors\n\n\"Invalid reference format\":\n\nEnsure format is pass://vault/item/field\nCheck for trailing slashes\nVerify all three components present\n\n\"Secret reference requires a field name\":\n\nAdd field name: pass://vault/item/field (not pass://vault/item)\n\n\"Field not found\":\n\nVerify field exists: pass-cli item view --share-id <id> --item-id <id>\nCheck field name spelling (case-sensitive)\n\nReference not found:\n\nCheck vault access: pass-cli vault list\nVerify item exists: pass-cli item list --share-id <id>\nConfirm field name: pass-cli item view <uri>\nConfiguration\nLogging\n# Levels: trace, debug, info, warn, error, off\nexport PASS_LOG_LEVEL=debug\n\n\nNote: Logs are sent to stderr (won't interfere with piping/command integration).\n\nSession storage\n\nDefault locations:\n\nmacOS: ~/Library/Application Support/proton-pass-cli/.session/\nLinux: ~/.local/share/proton-pass-cli/.session/\n\nOverride:\n\nexport PROTON_PASS_SESSION_DIR='/custom/path'\n\nKey storage providers\n\nControl how encryption keys are stored with PROTON_PASS_KEY_PROVIDER:\n\n1. 
Keyring storage (default, most secure)\nexport PROTON_PASS_KEY_PROVIDER=keyring  # or unset\n\n\nUses OS secure storage:\n\nmacOS: macOS Keychain\nLinux: Kernel-based secret storage (kernel keyring)\nWindows: Windows Credential Manager\n\nHow it works:\n\nGenerates random 256-bit key on first run\nStores in system keyring\nRetrieves on subsequent runs\nIf keyring unavailable but session exists, forces logout for security\n\nLinux note: Uses kernel keyring (no D-Bus required), works in headless environments. Secrets cleared on reboot.\n\nDocker limitation: Containers cannot access kernel secret service. Use filesystem storage instead.\n\n2. Filesystem storage\n\n⚠️ Warning: Less secure - key stored side-by-side with encrypted data.\n\nexport PROTON_PASS_KEY_PROVIDER=fs\n\n\nStores key in <session-dir>/local.key with permissions 0600.\n\nAdvantages:\n\nWorks in all environments (headless, containers)\nSurvives reboots\nNo dependency on system services\n\nWhen to use:\n\nDocker containers\nDevelopment/testing\nWhen system keyring unavailable\n3. 
Environment variable storage\n\n⚠️ Warning: Key visible to other processes in same session.\n\nexport PROTON_PASS_KEY_PROVIDER=env\nexport PROTON_PASS_ENCRYPTION_KEY=your-secret-key\n\n\nDerives encryption key from PROTON_PASS_ENCRYPTION_KEY (must be set and non-empty).\n\nGenerate safe key:\n\ndd if=/dev/urandom bs=1 count=2048 2>/dev/null | sha256sum | awk '{print $1}'\n\n\nAdvantages:\n\nPortable across all environments\nNo filesystem/keyring dependency\nUser controls key value\nWorks in CI/CD, containers, headless\n\nWhen to use:\n\nCI/CD pipelines\nContainers where filesystem persistence undesirable\nAutomation scripts\nExplicit control over encryption key needed\nTelemetry\n\nDisable telemetry:\n\nexport PROTON_PASS_DISABLE_TELEMETRY=1\n\n\nOr globally: Account security settings → Disable \"Collect usage diagnostics\"\n\nWhat's sent: Anonymized usage data (e.g., \"item created of type note\") - never personal/sensitive data.\n\nEnvironment Variables\nLogin credentials (interactive login)\nexport PROTON_PASS_PASSWORD='password'\nexport PROTON_PASS_PASSWORD_FILE='/path/to/file'\nexport PROTON_PASS_TOTP='123456'\nexport PROTON_PASS_TOTP_FILE='/path/to/file'\nexport PROTON_PASS_EXTRA_PASSWORD='extra-password'\nexport PROTON_PASS_EXTRA_PASSWORD_FILE='/path/to/file'\n\nSSH key passphrase\nexport PROTON_PASS_SSH_KEY_PASSWORD='passphrase'\nexport PROTON_PASS_SSH_KEY_PASSWORD_FILE='/path/to/file'\n\nUpdate checks\nexport PROTON_PASS_NO_UPDATE_CHECK=1\n\nInstallation\nexport PROTON_PASS_CLI_INSTALL_DIR=/custom/path\nexport PROTON_PASS_CLI_INSTALL_CHANNEL=beta\n\nCommon Workflows\nCreate and populate a new vault\n# Create vault\npass-cli vault create --name \"Project Alpha\"\n\n# List to get share ID\npass-cli vault list\n\n# Create login items\npass-cli item create login \\\n  --share-id \"new_vault_id\" \\\n  --title \"API Key\" \\\n  --username \"api_user\" \\\n  --generate-password \\\n  --url \"https://api.example.com\"\n\n# Share with team\npass-cli vault share 
--share-id \"new_vault_id\" alice@team.com --role editor\n\nImport and use SSH keys\n# Import existing key\npass-cli item create ssh-key import \\\n  --from-private-key ~/.ssh/id_ed25519 \\\n  --vault-name \"SSH Keys\" \\\n  --title \"GitHub Key\"\n\n# Load into SSH agent\npass-cli ssh-agent load --vault-name \"SSH Keys\"\n\n# Or start Pass as SSH agent\npass-cli ssh-agent start --vault-name \"SSH Keys\"\nexport SSH_AUTH_SOCK=$HOME/.ssh/proton-pass-agent.sock\n\nScripted access to secrets\n#!/bin/bash\n# Automated login\nexport PROTON_PASS_PASSWORD_FILE=\"$HOME/.secrets/pass-password\"\npass-cli login --interactive user@proton.me\n\n# Retrieve secret\nDB_PASSWORD=$(pass-cli item view \"pass://Production/Database/password\" --output json | jq -r '.password')\n\n# Use secret\nconnect-to-db --password \"$DB_PASSWORD\"\n\n# Cleanup\npass-cli logout\n\nApplication deployment with secrets\n#!/bin/bash\n# Create .env.production with secret references\ncat > .env.production << EOF\nNODE_ENV=production\nDATABASE_URL=pass://Production/Database/connection_string\nAPI_KEY=pass://Production/API/key\nSTRIPE_SECRET=pass://Production/Stripe/secret_key\nEOF\n\n# Deploy application with secrets injected\npass-cli run --env-file .env.production -- npm start\n\n# Or generate config file from template\npass-cli inject \\\n  --in-file config.yaml.template \\\n  --out-file config.yaml \\\n  --force\n\n# Then run app with generated config\n./app --config config.yaml\n\nCI/CD pipeline integration\n#!/bin/bash\n# Login with environment variable key storage\nexport PROTON_PASS_KEY_PROVIDER=env\nexport PROTON_PASS_ENCRYPTION_KEY=\"${CI_PASS_ENCRYPTION_KEY}\"\nexport PROTON_PASS_PASSWORD_FILE=/run/secrets/pass-password\n\npass-cli login --interactive user@proton.me\n\n# Run tests with secrets\npass-cli run --env-file .env.test -- npm test\n\n# Deploy with secrets\npass-cli run --env-file .env.production -- ./deploy.sh\n\n# Cleanup\npass-cli logout\n\nNotes\nBeta status: Proton Pass CLI is 
currently in beta\nTrack switching: Only available for manual installations (not package managers)\nItem update limitations: Cannot update TOTP or time fields via CLI\nPassphrase recommendations: Passphrases optional for generated keys (already encrypted in vault)\nSSH agent refresh: Default 1 hour, customizable with --refresh-interval\nDocker containers: Must use filesystem key storage (PROTON_PASS_KEY_PROVIDER=fs)\nLinux keyring: Uses kernel keyring (no D-Bus), secrets cleared on reboot\nTelemetry: Anonymized only (no personal data), can be disabled\nSecret masking: Automatically masks secrets in run command output\nTemplate syntax: inject requires {{ }} braces, run uses bare pass:// URIs\nItem ID uniqueness: Item ID only unique when combined with Share ID\nCommand Reference Quick List\n\nAuthentication:\n\nlogin, logout, info, test\n\nVault:\n\nvault list, vault create, vault update, vault delete, vault share, vault member, vault transfer\n\nItem:\n\nitem list, item view, item create, item update, item delete, item share, item totp, item alias, item attachment\n\nSecret Injection:\n\nrun - Execute commands with secrets injected as environment variables\ninject - Process template files with secret references\n\nPassword:\n\npassword generate, password score\n\nSSH:\n\nssh-agent load, ssh-agent start\n\nSettings:\n\nsettings view, settings set, settings unset\n\nShare & Invite:\n\nshare list, invite list, invite accept, invite reject\n\nUser:\n\nuser info\n\nUpdate:\n\nupdate"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/KakatkarAkshay/proton-pass",
    "publisherUrl": "https://clawhub.ai/KakatkarAkshay/proton-pass",
    "owner": "KakatkarAkshay",
    "version": "1.1.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/proton-pass",
    "downloadUrl": "https://openagent3.xyz/downloads/proton-pass",
    "agentUrl": "https://openagent3.xyz/skills/proton-pass/agent",
    "manifestUrl": "https://openagent3.xyz/skills/proton-pass/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/proton-pass/agent.md"
  }
}